Shell Links, more commonly known to native Windows users as shortcut files — technically known by their extension LNK — are one of the most fruitful initial access vectors for threat actors. A seemingly harmless file with a dubious icon and the hopes of malware operators on its back — the file kicks into action and spurs stages onto stages of malware to compromise a system — bravo!
The purpose of this article is to dig into the Shell Link Binary file format powering LNK files and analyze how these simple shortcuts (LNKs) are potential gateways to…
Cross-references, or more commonly referred to as xrefs, are used to identify references (usage/call or declaration) of a particular function, string, variable, etc. Example — if you’ve identified a particular function (a VM check) being called inside another subroutine (installation of a backdoor), you might be interested in knowing other calls to the same function.
Cross-references can be categorized as follows:
Let’s explore the two in a short section next.
Code cross-references are used to identify relationships between function calls, declarations, or jumps. Let’s take a look at an example.
Now that the intelligence community is finally reaching its due maturity, advisories shared with fellow organizations often contain useful detection use-cases. If we were to travel back a few years, an average analyst would dread the manual conversion of these use-cases into searchable queries for the logging platform or SIEM. What we duly needed was a standard — a way to write a query once and search it everywhere — that is precisely what Sigma provides.
Sigma is the brainchild of Florian Roth and Thomas Patzke. To quote the GitHub page of the open-source tool, Sigma:
is a generic and open…
Attackers have long been searching for ways to meddle with the day-to-day operations of an average computer user. It’s no wonder the Microsoft Office suite has been one of the key targets of adversaries to compromise endpoints. What better than to dispatch a seemingly-harmless office document to a rather naive user? It’s mayhem.
Owing to the popularity of Office documents as a technique to carry out execution, I’ll be discussing an interesting strategy employed by attackers to further increase the chances of evasion. Although first brought to light by Didier Stevens in February 2020 — the technique VBA Purging is…
The article is a write-up for challenge number one — the Web Server Case — by Ali Hadi on his blog, ‘ashemery.com’. The premise is set to:
A company’s web server has been breached through their website.
For this investigation, we’re asked to answer the following questions:
Sysmon, short for System Monitor, is a utility tool developed by Mark Russinovich, as part of the Sysinternals suite. The utility is registered in a Windows box as a system service and a device driver, which, in sync, help log activities across the environment to the Windows Event log. Just a quick analysis of the logs generated by Sysmon can help identify malware, intrusions, and breaches within the network.
Due to active development of the project, newer artifacts and evidence sources are constantly being added to Sysmon’s capabilities. …
It’s unfortunate that the Windows Command Prompt, the descendant of the prehistoric command.com from MS-DOS, has no persistent storage of command execution. It does, however, support temporary storage of commands executed in an active session. So, if an attacker proceeds to enumerate other hosts or exfiltrate data using a console window, does a defender have no means of identifying the execution of a binary? Well, that’s not entirely true.
Windows does support command-line auditing or process creation auditing to some extent.
The event ID, 4688, is widely recognized on Windows operating systems for “Process Creation”.
Although the auditing for process…
Ah, the sweet days of running your memory sample through Volatility. It’s not over yet — but Microsoft has done an amazing job at releasing a new service, which can perform a full-blown volatile memory analysis of a Linux system, with special focus on detecting rootkits.
Let’s go into a little more detail now.
‘Project Freta’ is a free, cloud-based solution by Microsoft which can be used to automate full-system volatile memory analysis of Linux systems — the memory has to be acquired in order to generate reports using Freta.
Freta is available for usage/automation via:
Before you get started with the deployment of QRadar in your infrastructure, you need to understand the several components it makes use of to function properly. IBM QRadar SIEM (Security Information and Event Management) features a modular architecture where you can scale its deployment to add on more devices, endpoints, and machines in your infra to help with your analysis and logging needs. You can also add in modules to help with the analysis, which are easily provided by IBM on the App Exchange. The list includes but is not limited to:
Let’s continue our series on Uncovering Attacks by discussing Windows DLLs and a few types of attack vectors relevant to them.
Dynamic-link Libraries (DLLs) are Microsoft’s implementation of shared code on the Windows Operating System. By means of modularizing code into smaller segments and individual files, Windows applications can utilize this shared code. This allows them to avoid including the same piece of code, again and again.
Usually, the functions written in a DLL file are exportable. The DllMain function in a particular file carries out the basic tasks, whereas the individual functions can then be imported into code as…